Cybersecurity Bill Stalls Again, Executive Order Coming Soon?

The comprehensive cyber-security legislation has stalled again in the United States Senate, effectively killing the bill for the rest of the year. Now all eyes turn to the president to see whether he will move forward with an executive order.

This site may earn affiliate commissions from the links on this page. Terms of use.

The comprehensive cybersecurity legislation has stalled again in the United States Senate, effectively killing the bill for the rest of the year. Will the president issue an executive order to protect the nation's critical infrastructure from cyber-attacks?

On Wednesday, the Senate voted 51-47 to end debate on the bill and move to a final vote. However, the bill needed 60 votes to break the filibuster and move forward. The proposed bill failed a similar vote back in August.

The Cybersecurity Act of 2012—from Sens. Joe Lieberman (I-Conn.), Susan Collins (R-Maine), Jay Rockefeller (D-WV), Dianne Feinstein (D-Calif), and Tom Carper (D-Del)—offers private companies incentives for adopting best practices. Under the voluntary program, organizations will be able to request federal assistance on cyber issues and receive immunity after an attack. The bill would allow the private sector and federal government to share information about threats, incidents, best practices, and fixes.

"Once again, Senate Republicans have chosen to filibuster much-needed cybersecurity legislation and, in so doing, have ignored the advice of the country's most senior military and national security officials," said Rockefeller.

Stalemate?"It is disappointing that senators haven't yet been able to reach an agreement on cybersecurity legislation—but stalemate doesn't make the issue go away," BSA President and CEO Robert Holleyman said in a statement.

Supporters of the bill had argued the legislation was necessary to protect critical infrastructure, including power grids, water systems, transportation systems, and communications networks from ever increasing cyberattacks.

"Every day that we wait, our country becomes more vulnerable to a serious cyberattack, indeed a catastrophic attack," Collins said in a statement.

Opponents had cited concerns over privacy. The Electronic Frontier Foundation called it "dangerously vague." The legislation, if it had passed, would have watered down existing privacy laws, the EFF claimed.

Most Republicans also opposed voluntary standards, arguing it would eventually lead to mandatory regulations.

"Members do disagree with the notion this problem requires legislation that increases the size of the federal government bureaucracy and places new burdens and regulation on businesses," said Sen. Charles Grassley (R-Iowa), calling the bill "flawed."

Eyes on the PresidentSenate Majority Leader Harry Reid (D-Nev.) called the bill "dead for this Congress" even as Senate Minority Leader Mitch McConnell (R-Ky.) said Congress may take up the issue again "sometime in December."

While Congress can revisit the bill again, either next month or next year with the new session of Congress, there is a possibility Pres. Barack Obama will take steps before then. Shortly after the bill stalled in August, several lawmakers had urged Obama to issue an executive order to strengthen the country's cyberdefenses. Reid reiterated the call on Wednesday.

"A bill that was and is most important to national security was just killed and that's cybersecurity. I hope President Obama uses all the authority of the executive branch at his disposal to fully protect our nation from the cybersecurity threat," Reid said.

The White House was exploring ways "to more effectively secure the nation's critical infrastructure by working collaboratively with the private sector," Caitlin Hayden, spokeswoman for the White House National Security Council, said after the vote.

A draft of the executive order has been circulating for a few months, under which the National Institute of Standards and Technology would set cybersecurity standards for eighteen critical infrastructure industries. The Department of Homeland Security would encourage private sector agencies to adopt the standards. Appropriate agencies responsible for regulating those industries would propose regulations for those organizations. The draft also set up information sharing mechanisms to make it easier to share data while ensuring privacy.

Hayden did not rule out the possibility of the executive order but emphasized that it would not be a substitute for new legislation. The order won't be able to create new powers or authorities or offer companies liability protection after a cyberattack.

"The president is determined to protect our nation against cyber threats," Hayden said.

Fahmida Y. Rashid is a senior analyst for business at PCMag.com. She focuses on ways businesses can use technology to work efficiently and easily. She is paranoid about security and privacy, and considers security implications when evaluating business technology. She has written for eWEEK, Dark Reading, and SecurityWeek covering security, core Internet infrastructure, and open source.
Follow me on Twitter: zdfyrashid
More »